checkpointsw / charts Goto Github PK

Is it possible to have a runAsUser for all of the securityContexts or is this not possible due to the access that this helm deployment requires? Ideally I would like to have all deployments within my cluster to run as a non-root user and for me to be able to specify the securityContext.runAsUser element.

Dear Developer,

For readability and Search Engine Optimization (SEO) it would be great if you could do the followings:

• Please provide more than 8 words in the "About" field
• Please provide relevant "Topics"

Recommended Topics:
Environments:
azure, aws, gcp
Functionality:
build, deploy, staging, operate, terraform, ansible, helm, android, cloudguardIaaS, management, gaia, threat-prevention, identity-awareness, smp, iot, cloudguard-connect, cloudguard-dome9, malware, evasion

Hi

So far, we can only set these common annotations in deployments:

Helper

{{- /* Pod annotations commonly used in agents */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- end -}}

Deployment

annotations:
{{ include "common.pod.annotations" $config | indent 8 }}

It would be nice to be able to add custom annotations. In my case, I want to configure the mutating webhook of Bank-Vaults through the annotations to inject my Cloudguard credentials retrieved from Vault directly into the pods.

Would it be possible to implement this?

Thanks a lot.

Greetings.

Runtime Protection agents need connectivity to http://mirrors.edge.kernel.org/ for downloading kernel packages. NGFW intercept the package being downloaded and fail the download if vulnerable packages are identified. Can this be switched to a secure URL so NGFW is not able to knock down the download of required kernel package? Below outputs using both http and https URL.

$ wget http://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.14.238.tar.gz
Connecting to mirrors.edge.kernel.org (139.178.84.19:80)
saving to 'linux-4.14.238.tar.gz'
linux-4.14.238.tar.g 69% |************************************************************************************* | 103M 0:00:12 ETAwget: read error: Connection reset by peer

$ wget https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.14.238.tar.gz
Connecting to mirrors.edge.kernel.org (139.178.84.19:443)
saving to 'linux-4.14.238.tar.gz'
linux-4.14.238.tar.g 100% |****************************************************************************************************************************| 149M 0:00:00 ETA
'linux-4.14.238.tar.gz' saved

Hello!

I'm running an EKS cluster with Bottlerocket AMIs having a Linux kernel of 5.10.102. I've deployed the 2.10.2 chart and am noticing a couple of issues. Here is one of them, the probe version it's attempting to download doesn't exist in the destination bucket.
consec-runtime-probe:0.27.1-cp-1 logs:

* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
Found kernel config at /proc/config.gz
* Trying to compile BPF probe sysdig-probe-bpf (sysdig-probe-bpf-0.27.1-x86_64-5.10.102-0e3028d3e641dd8c5e4e9eed25c2a797.o)
make: Entering directory '/usr/src/sysdig-0.27.1/bpf'
make -C /lib/modules/5.10.102/build M=$PWD
make[1]: Entering directory '/host/usr/src/kernels/5.10.102'
  DESCEND  objtool
  HOSTCC   /host/usr/src/kernels/5.10.102/tools/objtool/fixdep.o
fixdep.c:170:1: fatal error: opening dependency file /host/usr/src/kernels/5.10.102/tools/objtool/.fixdep.o.d: Permission denied
 }
 ^
compilation terminated.
make[5]: *** [/host/usr/src/kernels/5.10.102/tools/build/Makefile.build:97: /host/usr/src/kernels/5.10.102/tools/objtool/fixdep.o] Error 1
make[4]: *** [Makefile:41: /host/usr/src/kernels/5.10.102/tools/objtool/fixdep-in.o] Error 2
make[3]: *** [/host/usr/src/kernels/5.10.102/tools/build/Makefile.include:5: fixdep] Error 2
make[2]: *** [Makefile:68: objtool] Error 2
make[1]: *** [Makefile:1925: tools/objtool] Error 2
make[1]: Leaving directory '/host/usr/src/kernels/5.10.102'
make: *** [Makefile:18: all] Error 2
make: Leaving directory '/usr/src/sysdig-0.27.1/bpf'
mv: cannot stat '/usr/src/sysdig-0.27.1/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://download.sysdig.com/stable/sysdig-probe-binaries/sysdig-probe-bpf-0.27.1-x86_64-5.10.102-0e3028d3e641dd8c5e4e9eed25c2a797.o

I'm not sure how to proceed here.

Hello,

I recently followed the deployment process to add dome9 cloudguard to my Azure Kubernetes Cluster but ran into an issue that is causing the deployment to fail.

The command I used for the helm deployment is:

helm install asset-mgmt cloudguard --repo https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/ --set credentials.user=00000-00000-00000-00000 --set credentials.secret=00000-00000-00000-00000 --set clusterID=undefined --set addons.imageScan.enabled=true --set addons.admissionControl.enabled=true --namespace dome9 --create-namespace

And when I look at the pods and logs I get the following:

Can I get some help with the deployment and if I am doing it right?